Cisco Enterprise NFV Infrastructure Software Vulnerabilities

Vulnerability

CVE-2022-20779 is a command injection vulnerability in Cisco Enterprise NFV Infrastructure Software (NFVIS) affecting versions prior to 4.7.1 [1][2]. The flaw resides in the image registration process, where the output of qemu-img info on a user-supplied image is unsanitized before being used in a shell command. An attacker can craft a malicious qcow2 image with a specially crafted backing file field containing injected commands, which are executed during registration [2].

Exploitation

An attacker with administrative access to NFVIS (via CLI, NETCONF, or REST API) can register a malicious image. The attacker creates a qcow2 image whose backing file field contains a command injection payload (e.g., ';cp /etc/shadow /data/intdatastore/uploads/;chmod 664 /data/intdatastore/uploads/shadow;echo '). When the image is registered using vm_lifecycle images image and committed, the injected commands execute with root privileges [2]. No user interaction beyond the admin performing the registration is required.

Impact

Successful exploitation allows an attacker to execute arbitrary commands as root on the NFVIS host, leading to full device compromise. This includes reading sensitive files (e.g., /etc/shadow), modifying system configurations, and potentially escaping from guest VMs to the host. The attacker gains complete control over the NFVIS appliance [2].

Mitigation

Cisco has released NFVIS version 4.7.1 to fix this vulnerability [1][2]. Users should upgrade to this version or later. As a workaround, administrators should sanitize the untrusted output of qemu-img before use and apply the principle of least privilege by handling image registration with a non-admin system user [2]. No other workarounds are documented.